STAFF AUDIT PRACTICE ALERT NO. 8 AUDIT RISKS IN CERTAIN

1666 K Street, NW Washington, D.C. 20006

Telephone: (202) 207-9100 Facsimile: (202)862-8430

www.pcaobus.org

STAFF AUDIT PRACTICE ALERT NO. 8

AUDIT RISKS IN CERTAIN EMERGING MARKETS

October 3, 2011

Staff Audit Practice Alerts highlight new, emerging, or otherwise noteworthy circumstances that may affect how auditors conduct audits under the existing requirements of the standards and rules of the PCAOB and relevant laws. Auditors should determine whether and how to respond to these circumstances based on the specific facts presented. The statements contained in Staff Audit Practice Alerts do not establish rules of the Board and do not reflect any Board determination or judgment about the conduct of any particular firm, auditor, or any other person.

Executive Summary

Emerging markets play an increasingly important role in the global economy given their high economic growth outlook and significant market size.1/ Recent disclosures of possible improprieties in financial reporting by companies based in certain large emerging markets in Asia and observations from the Board's oversight activities highlight the need for heightened awareness of risks when performing audits of companies with operations in emerging markets.

This practice alert focuses on risks of misstatement due to fraud ("fraud risks") that auditors might encounter in audits of companies with operations in emerging markets, auditors' responsibilities for addressing those risks, and certain other auditor responsibilities under PCAOB auditing standards. Local business practices and cultural norms in emerging markets may differ from those in more developed markets, and auditors should be alert to the effect of these differences on the risks of material misstatement. Auditors should focus on the audit procedures required to respond to those risks.

1/ According to information in the Statistical Appendix of International

Monetary Fund World Economic Outlook: Slowing Growth Rising Risks (September 2011), emerging market countries accounted for over 40 percent of global gross domestic product in 2010.

Staff Audit Practice Alert No. 8

October 3, 2011 Page 2

Fraud risks may be encountered in audits of companies in any region, whether the region is an emerging or developed market. Auditors have a responsibility to assess fraud risks in the financial statements that they audit and to perform audit procedures that respond to those risks, regardless of the regulatory environment.2/ The specific nature and characteristics of fraud risks, however, can vary depending upon, among other things, the environment in which the company operates, including the maturity and the robustness of the regulatory environments in the countries in which the company conducts its business activities.

Authorities in many emerging market countries are taking steps to improve investor protection. The PCAOB, however, has observed from its oversight activities some conditions in audits of certain companies in emerging markets that indicate heightened fraud risk. Other situations have come to light in recent corporate filings with the Securities and Exchange Commission ("SEC") and in SEC orders suspending trading in securities of certain companies in emerging markets. In just two months in 2011, more than 24 companies with their principal place of business in the People's Republic of China ("PRC") filed Forms 8-K with the SEC reporting auditor resignations, accounting irregularities, or both.3/ In some instances, the auditor's letter of resignation stated that the auditor resigned because of circumstances that could constitute illegal acts for purposes of Section 10A of the Securities Exchange Act of 1934 ("Exchange Act").4/ Since then the SEC’s actions have expanded, including instituting stop order proceedings against two PRC-based companies.5/ Further, additional auditor resignations have occurred.6/

2/ See paragraph 4 of Auditing Standard No. 12, Identifying and

Assessing Risks of Material Misstatement and paragraphs 3-4 of Auditing Standard No. 13, The Auditor’s Responses to the Risks of Material Misstatement.

3/ See letter from SEC Chairman Mary Schapiro, dated April 27, 2011, to the Chairman of the House Subcommittee on TARP, Financial Services, and Bailouts of Public and Private Programs, Congressman Patrick McHenry, at http://s.wsj.net/public/resources/documents/BARRONS-SEC-050411.pdf.

4/ See the discussion in the section on illegal acts below.

5/ See SEC Press Release, Stop Order Proceedings Instituted Against China Intelligent Lightning and Electronics, Inc., and China Century Dragon Media, Inc. (June 13, 2011) at: http://www.sec.gov/news/press/2011/2011-127.htm.

6/ See, e.g., Longtop Financial Technologies Limited, Form 6-K (May

23, 2011), Exhibit 2 at:



Examples of conditions and situations indicating heightened fraud risk in certain companies in emerging markets that have been observed by PCAOB staff or reported in an SEC filing include:

• Existence of two separate and different sets of financial books and records;

• Discrepancies between the company's financial books and records and audit evidence obtained with respect to the existence and accuracy of cash balances, accounts receivable, and revenues;

• Auditor difficulties in confirming cash balances, including when requesting to visit the offices of the company's bank, or questions about the authenticity of bank statements provided to the auditor;

• Auditors' follow-up visits to bank offices indicating serious discrepancies between bank confirmations provided to the auditor and the bank's actual records, such as previously undisclosed material borrowings and no record of or significant differences regarding certain transactions;

• Attempts by management to intercept or alter confirmation requests or responses;

• Irregularities in sales contracts, such as a company-specific seal affixed on the sales contract that does not belong to the purported customer named in the contract;

• Recognizing revenue from contracts or customers whose existence could not be corroborated;

• Recording sales of products shipped to warehouses or freight forwarders where no customer is identified;

• Undisclosed material facts surrounding acquisition transactions, sales transactions, and off-balance-sheet transactions with related parties;

• Recording of assets for which evidence of control, ownership, or title is either unclear or difficult to corroborate;

• Potential double counting of fixed assets; http://www.sec.gov/Archives/edgar/data/1412494/000095012311052882/d82501exv99w2.htm.



• Recording of uncorroborated operating expenses for which the business purpose is unclear;

• Manipulation of the accounting records to mischaracterize or conceal payment of bribes or other improper payments;

• Significant unexplained discrepancies between amounts included in the financial statements in SEC filings and amounts included in financial reports to other regulators, such as local authorities;

• Use of personal-type bank accounts held in the name of corporate officers or employees instead of corporate-type bank accounts for company business; and

• Unusual delays by management in the production of routine documents requested by the auditor.7/

PCAOB standards require auditors to perform their audits to respond to fraud risks and other risks of material misstatement, and to obtain relevant and reliable evidence that is sufficient to support the auditor's opinion.8/ This practice alert discusses certain considerations that may be relevant when performing audits in emerging markets.

Although the conditions, situations, and fraud risks described in this alert have been observed in audits of companies in certain emerging markets, they might also be present at companies in other markets. The matters discussed in this alert are relevant whenever such conditions, situations, or fraud risks are present in audits of companies located in emerging or developed markets.

Consideration of Fraud is an Integral Part of the Audit

The consideration of fraud is an integral part of the audit under PCAOB standards. PCAOB standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether the financial statements are free

7/ In addition to indicating a heightened fraud risk, in some

circumstances, the conditions and situations in this list also may be indications of illegal acts which are discussed in the section on illegal acts below.

8/ See, generally, AU sec. 316, Consideration of Fraud in a Financial Statement Audit; Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, Auditing Standard No. 13 and Auditing Standard No. 15, Audit Evidence.



of material misstatement due to error or fraud.9/ The auditor should exercise professional skepticism, and "conduct the audit engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present."10/ PCAOB auditing standards related to the auditor's assessment of and response to risk11/ and AU sec. 316, collectively, describe the auditor's responsibilities for identification, assessment, and response to fraud risks.

Identifying and Assessing Fraud Risk Factors12/

Fraud risks may arise from a variety of sources, including external factors and internal factors. The auditor should perform risk assessment procedures13/ and evaluate whether the information gathered from those procedures indicates that one or more fraud risk factors are present and should be taken into account in identifying and assessing fraud risks.14/

As part of risk assessment procedures, the auditor "should obtain an understanding of the company and its environment"15/ in order to "understand the events, conditions, and company activities that might reasonably be expected to

9/ See paragraph 3 of Auditing Standard No. 8, Audit Risk.

10/ AU sec. 316.13.

11/ Auditing Standard No. 8, Auditing Standard No. 9, Audit Planning, Auditing Standard No. 10, Supervision of the Audit Engagement, Auditing Standard No. 11, Consideration of Materiality in Planning and Performing an Audit, Auditing Standard No. 12, Auditing Standard No. 13, Auditing Standard No. 14, Evaluating Audit Results, and Auditing Standard No. 15.

12/ According to paragraph 65 of Auditing Standards 12, "[f]raud risk factors are events or conditions that indicate (1) an incentive or pressure to perpetrate fraud, (2) an opportunity to carry out the fraud, or (3) an attitude or rationalization that justifies the fraudulent action. Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances in which fraud exists." See, generally, AU sec. 316.85.

13/ See paragraphs 4-58 of Auditing Standard No. 12, which describe risk assessment procedures the auditor should perform.

14/ See paragraphs 59-73 of Auditing Standard No. 12, which discuss identifying and assessing the risks of material misstatement, due to error or fraud, using information obtained from performing risk assessment procedures.

15/ Paragraph 7 of Auditing Standard No. 12.



have a significant effect on the risks of material misstatement."16/ This includes, for example, understanding:17/

• The relevant industry and regulatory factors, including the legal, and political environment, which may include matters such as:

o The company's significance in the regional or local economy and its level of influence over its industry, and regional or local government, and

o Cultural norms in the business and regulatory environments;

• The company's objectives, strategies, and related business risks; its organizational structure; and sources of funding of the company's operations;

• The company's significant investments, including equity method investments, joint ventures, and variable interest entities ("VIEs");18/

• The sources of the company's earnings, including the relative profitability of key products and services; and

• The company's key supplier and customer relationships.

Significant differences can exist between the business environments faced by companies with operations in emerging markets and those in developed markets, which may affect the risk of misstatement in the financial statements. For example, companies in emerging markets may be subject to rapidly changing or less consistent regulatory oversight and reporting requirements, whereas companies in developed markets may not.19/ These and other aspects of the business environment in emerging markets can create incentives, pressures, and opportunities that may lead to a heightened risk of fraud.

16/ Ibid.

17/ See paragraphs 9-17 of Auditing Standard No. 12.

18/ See Subtopic 810-10 of the Financial Accounting Standards Board’s Accounting Standards Codification for a definition of a variable interest entity.

19/ See, generally, Silvia Iorgova and Li Lian Ong The Capital Markets of Emerging Europe: Institutions, Instruments and Investors, IMF Working Paper WP/08/103 (April 2008), at: www.imf.org/external/pubs/ft/wp/2008/wp08103.pdf.



Incentives and Pressures

As with public companies in developed countries, emerging market companies seeking to raise capital in international markets may wish to present a strong financial position and robust growth in revenue and earnings. In turn, this may create incentives or pressures to manipulate the financial statements rather than report poor results or bad news to the investing public. For example, if a company failed to consummate a previously announced acquisition, there is a risk that management might manipulate the financial statements to make them appear as though the acquisition has occurred. As another example, management at remotely located operating units of large multinational companies locations may feel pressure to report inflated results.

In addition to the incentives and pressures routinely considered in audits of public companies, auditors should consider any unique characteristics of the emerging market company or its environment that might result in specific fraud risks. For example, a company might engage in a significant business partnership with a state-owned entity or VIE. In that situation, the company might be motivated to consolidate the partnership or VIE to strengthen its reported financial position, even if significant legal restrictions prevent the company from obtaining a controlling interest in the partnership or assets. For instance, a company might enter into contractual arrangements with a VIE that are designed to enable the company to consolidate the VIE, even though there might be significant uncertainties regarding the economic substance of those arrangements.20/ As another example, legal restrictions on the movement of company assets might lead companies to maintain substantial amounts of cash or other liquid assets in business units in certain jurisdictions, which can create incentives for misappropriation of assets.

Opportunities

Some fraud risks arise when internal or external conditions and weak internal controls provide opportunities for management or employees of the company to engage in fraudulent activities. Certain aspects of the business environment in emerging markets can create opportunities to perpetrate fraud, as discussed in the examples below.

For example, a company in an emerging market might have a dominant presence in the geographic region in which it is located because it is the single largest employer in the region, or it may exercise control over raw materials on

20/ Additionally, such VIE structures can result in increased risks

related to omitted, incomplete, or inaccurate disclosures. See paragraphs 12-13 of Auditing Standard No. 12.



which other companies in the region depend. The company's management might have strong ties with the local or state government. In such circumstances:

• Management might be able to dictate terms or conditions to local suppliers or customers, which might result in non-arm's length transactions.

• Management might be able to pressure personnel of a local bank or other third parties to provide fraudulent information to the auditor.

• Company employees might not be willing to report instances of fraud for cultural reasons or fear of retribution from management. While whistleblower protections have been introduced in many emerging market countries, observers have said that there is still a need to improve the effectiveness of the whistleblower programs.21/

Additionally, weak internal controls and lack of robust governance mechanisms have been observed in companies in certain emerging market countries. This may stem from a lack of familiarity in local cultures with certain governance concepts, such as prohibition of self-dealing, even where similar legal concepts exist.22/ For example, such a culture might provide opportunities for management to influence other senior company officials or various third parties to provide false or misleading information to the company's auditors.

If criticizing or questioning a figure of authority is contrary to the local culture, the company's employees may be hesitant to express any concerns about management's actions to an auditor. Such an environment can provide additional opportunities for management to override controls or intentionally misstate the financial statements.23/

As another example, a company in an emerging market might be created as a spin-off from a larger private or state-owned entity. The operating components of the larger entity may be among the company's largest suppliers or customers. In certain instances, the same individual or group that controls the

21/ See Organization for Economic Co-operation and Development

(OECD) Corporate Governance in Asia 2011: Progress and Challenges, Corporate Governance, OECD Publishing (2011), pg 36, at: http://dx.doi.org/10.1787/9789264096790-en.

22/ Ibid, pg 25. 23/ See AU sec. 316.08.



company might also control the company's suppliers and customers.24/ Such situations might provide opportunities for management to:

• Enter into undisclosed side agreements with the related parties, or

• Collude with the related parties to create false documentation to support fictitious transactions.

Some emerging market companies employ as their chief financial officer ("CFO") an individual based in, or from, another region or country. Such a CFO might lack knowledge of the local language and the company's business practices and, therefore, might not be able to effectively perform certain important entity-level controls, thereby creating opportunities for company personnel to commit or conceal fraudulent misstatement of the financial statements. Similar conditions and risks may be present at significant subsidiaries of multi-national companies in emerging markets.

In some emerging market countries, controlling shareholders exercise strong oversight over executive management and foster a corporate culture focused on long-term value creation. In other jurisdictions, controlling shareholders have the opportunity to engage in abusive conduct, a problem that is magnified in jurisdictions where transparency is poor and where a weak rule of law fails to give minority investors proper judicial recourse.25/

The Auditor's Response to Fraud Risks

PCAOB standards require that the auditor design and implement audit responses that address the identified and assessed fraud risks.26/ The auditor's responses should include responses that have an overall effect on how the audit is conducted (e.g., making appropriate engagement assignments) and responses

24/ See OECD Guide on Fighting Abusive Related Party Transactions

in Asia, OECD Publishing (2009), pgs 9-12 and 14-16, at: www.oecd.org/dataoecd/39/57/43626507.pdf.

25/ See Melsa Ararat and George Dallas (International Finance

Corporation), Corporate Governance in Emerging Markets: Why it Matters to Investors – and What They Can Do About It, Global Corporate Governance Forum (2011), pg 11, at: http://www.ifc.org/ifcext/cgf.nsf/Content/PSO_22_Melsa.

26/ See paragraph 3 of Auditing Standard No. 13.



involving the nature, timing, and extent of audit procedures (e.g., modifying the planned audit procedures).27/

Under PCAOB standards, "[t]he auditor's responses to the assessed risks of material misstatement, particularly fraud risks, should involve the application of professional skepticism in gathering and evaluating audit evidence."28/ Ineffective responses to fraud risks may result in the auditor's failure to detect material misstatement of the financial statements or failure to obtain sufficient appropriate audit evidence to support the opinion in the auditor's report. Examples of the application of professional skepticism in response to the assessed fraud risks may include "modifying the planned audit procedures to obtain more reliable evidence regarding relevant assertions and ... obtaining sufficient appropriate evidence to corroborate management's explanations or representations."29/

Performing Audit Procedures to Respond to Fraud Risks

The auditor should perform substantive procedures, including tests of details, that are specifically responsive to the assessed fraud risks, including certain procedures to address the risk of management override of controls.30/

Many of the conditions discussed above that indicate heightened fraud risk appear to involve possible attempts to overstate the amounts of assets or revenues in the companies' financial statements. When performing audit procedures to address certain fraud risks, especially those involving the existence of assets such as cash and accounts receivable, it is important to

27/ See Auditing Standard No. 13, which establishes requirements

regarding designing and implementing appropriate responses to the risks of material misstatement.


29/ Ibid.

30/ See paragraphs 13 and 15 of Auditing Standard No. 13. Additionally, as part of the auditor's response to the assessed risks of material misstatement due to fraud, the auditor should incorporate an element of unpredictability in the selection of auditing procedures to be performed. See paragraph 5c of Auditing Standard No. 13. Also, see paragraphs 14-15 of Auditing Standard No. 5.



obtain audit evidence through direct written communication with a knowledgeable third party who is objective and free from bias with respect to the audited entity.31/

If, through the performance of risk assessment procedures, other audit procedures, or by other means, the auditor becomes aware of conditions that call for a heightened degree of professional skepticism with respect to the authenticity of documents, the auditor should perform additional procedures to determine that the reliability of evidence obtained in the course of the audit has not been compromised.32/ In such circumstances, it would be unlikely for auditors to rely solely on management-provided documentation without obtaining documentation directly from third parties to corroborate management's assertions.

Confirmations

To respond to fraud risks related to the company's accounts with a bank or amounts due from customers, it is important for the auditor to confirm amounts included in the company's financial statements directly with a knowledgeable individual from the bank or customer who is objective and free from bias with respect to the audited entity rather than rely solely on information provided by the company's management.33/ Under PCAOB standards, "[e]vidence obtained from a knowledgeable source that is independent of the company is more reliable than evidence obtained only from internal company sources."34/

Further, under PCAOB standards, the auditor "should maintain control over the confirmation requests and responses."35/ If the auditor identifies a risk

31/ See paragraphs .26-.27 of AU sec. 330, The Confirmation Process and the section on confirmations below.

32/ See paragraph 9 of Auditing Standard No. 15.

33/ See AU sec. 330.34, which states that there is a presumption that the auditor will request the confirmation of accounts receivable during an audit except under certain conditions that are unlikely to be present when fraud risks are present. For example, one of those conditions, the auditor's combined assessed level of inherent and control risk is low, is unlikely to be the case when a fraud risk is present.

34/ Paragraph 8 of Auditing Standard No. 15. Also, AU secs. 330.26-.27 describe the auditor's responsibilities regarding confirmation with knowledgeable third parties who are objective and free from bias with respect to the audited entity.

35/ AU sec. 330.28.



that the company's management, or someone else at management's request, could attempt to intercept or alter the confirmation requests or responses, the auditor should maintain control over the confirmation process by taking actions aimed specifically at addressing that risk. For example, if the auditor uses a courier to expedite the delivery of confirmation requests, the courier should be reliable and independent from management to ensure that the confirmation requests are delivered directly to the intended recipient. If there is a heightened risk of management interference in the confirmation process, it might be necessary for the auditor to deliver the confirmation request personally and/or to observe the intended recipient of the confirmation request complete the response in order to communicate directly with an independent and knowledgeable source.

Also, the auditor should evaluate who the intended recipient of the confirmation request is and whether the company's management has any influence over this individual to provide false or misleading information to the auditor.36/ For example, if the company is the only or a significant customer or supplier of the confirming entity, the staff of that entity may be more susceptible to pressure from the company's management to falsify documentation provided to the auditor. As another example, the auditor might determine that confirmation responses cannot be relied upon if it appears that management interfered with the process because responses to confirmation requests were received from a personal e-mail account rather than a company network domain, or multiple confirmations are returned with similar handwriting and the same date, or confirmations returned from companies with different physical addresses contain mail stamps indicating same time processing.

If there is a heightened risk that the intended recipient is susceptible to management influence, the auditor should consider whether the response will provide meaningful and appropriate evidence and determine whether other procedures are necessary to obtain sufficient appropriate audit evidence.37/

Revenue Recognition

Under PCAOB standards, "[t]he auditor should presume that there is a fraud risk involving improper revenue recognition and evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks."38/ Management might use a variety of tools to attempt to overstate revenue or conceal improprieties in recording revenue, including entering into improper bill-

36/ See AU sec. 330.26-.27. 37/ See paragraph 4 of Auditing Standard No. 15 and AU sec. 330.27. 38/ Paragraph 68 of Auditing Standard No. 12.



and-hold transactions, generating invoices and customer contracts for non-existent transactions, altering original documentation, and establishing fake customers and mailing addresses.

To develop an effective response to such fraud risks, it is important for the auditor to obtain an understanding of the company and its environment, including the sources and composition of revenues; specific attributes of revenue transactions; the company's business and financial reporting processes regarding revenue and amounts due from customers; and unique industry considerations. Such an understanding is important in order for the auditor to consider the ways in which revenue could be fraudulently misstated in order to design appropriate audit procedures to detect those types of misstatements. Also, PCAOB standards require the auditor to gain an understanding of the business rationale for significant unusual transactions and whether that rationale (or the lack thereof) suggests that the transactions may have been entered into to engage in fraudulent financial reporting or conceal misappropriation of assets.39/

Exercising professional skepticism requires the auditor to, among other things, perform procedures to obtain and critically evaluate evidence from all sources rather than rely solely on management representations about the company's performance.40/ For example, if the auditor performs an analytical procedure regarding revenue and management represents that a significant unexpected increase in revenue from the prior year results from increased production, the auditor should obtain evidence to corroborate this representation and critically evaluate whether the representation is reasonable based on the evidence obtained, such as, whether the company is capable of producing the additional output.41/

While the auditor is not expected to be an expert in document authentication, the auditor should exercise professional skepticism in reviewing documentation obtained as audit evidence, especially documentation provided by the company. Under PCAOB standards, "if conditions indicate that a document may not be authentic or that the terms in a document have been modified but that the modifications have not been disclosed to the auditor, the auditor should modify the planned audit procedures or perform additional audit procedures to

39/ See AU sec. 316.66. 40/ See paragraph 7 of Auditing Standard No. 13 and AU sec. 333.02-

.04. 41/ See paragraphs 5-9 of Auditing Standard No. 14. When the auditor

is performing an analytical procedure as a substantive test, see the requirements of AU sec. 329, Substantive Analytical Procedures.



respond to those conditions and should evaluate the effect, if any, on the other aspects of the audit."42/ For example, if the auditor suspects that management has falsified sales documentation, the auditor should perform additional procedures, such as performing procedures to obtain documentation directly from the company's customers or suppliers to compare it to documents provided by management.

Transactions with Related Parties

It is not uncommon for companies in emerging markets to be owned or controlled by a small group of individuals or a family. These individuals often serve as the senior members of the company's management and also may control some of the entities that the company does business with, such as customers or suppliers. Accordingly, transactions with related parties may play a significant role in the company's operations. The auditor, therefore, should be aware of a risk of undisclosed related party transactions or side agreements.

To obtain sufficient appropriate audit evidence with respect to related party transactions, an auditor should design and perform procedures that take into account the specific environment in which a company operates.43/ In addition, pursuant to section 10A(a)(2) of the Exchange Act, auditors are required to include "procedures designed to identify related party transactions that are material to the financial statements or otherwise require disclosure therein."44/

Some companies in emerging markets might have significant transactions with related entities that are not audited or are audited by another firm. For example, a company might purchase substantially all of its raw materials and utility services from or extend significant loans to a related unaudited entity. Paragraph A.2 of AU sec. 316.85 states in the Opportunities subsection that "significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm" constitute an example of a fraud risk factor that provides opportunities to engage in fraudulent financial reporting. Staff Audit Practice Alert No. 5, Auditor Considerations Regarding Significant Unusual Transactions, issued on April 7, 2010, describes certain


43/ See AU sec. 334, Related Parties, which describes procedures for the auditor to perform "to identify related party relationships and transactions and to satisfy himself concerning the required financial statement accounting and disclosure."

44/ See 15 U.S.C. §78j-1(a).



requirements in PCAOB auditing standards regarding significant unusual transactions.45/

Other Matters that Affect Fraud Risk

Under PCAOB standards, "the auditor should evaluate whether the accumulated results of auditing procedures and other observations affect the assessment of the fraud risks made throughout the audit and whether the audit procedures need to be modified to respond to those risks."46/ Matters indicating a heightened risk of fraud may include, for example:47/

• Inconsistent, vague, or implausible responses from management – In situations in which management fraudulently recorded non-existent sales transactions, management's explanation of an unexpected increase in revenue may be vague or inconsistent with the auditor's understanding of the company's operations.

• Conflicting or missing evidence – Documents provided by management may appear to have been altered or have internal inconsistencies. The auditor should critically assess such inconsistencies and discrepancies to identify whether they are indicative of fraudulent activities by the company's management or employees. For example:

o The name of a third party on the letterhead of a confirmation response may be different from the name on a seal used to authenticate a signed document.

o Amounts confirmed by the local branch of a bank may be different from those confirmed by the bank headquarters.

o There may be conflicting or missing documentary support for the company's rights to assets.

• Problematic relationships between the auditor and management – To conceal fraudulent financial reporting, management might attempt to control the audit process by limiting the auditor's access

45/ Staff Audit Practice Alert No. 5 is located on the Board's web site

at: http://pcaobus.org/Standards/QandA/04-07-2010_APA_5.pdf.


47/ See Appendix C of Auditing Standard No. 14.



to sources of audit evidence, such as the company's personnel or third parties. For example:

o Management could request that the auditor send confirmation requests and receive replies through personnel of the company.

o Management could instruct the bank not to respond to the auditor's request to confirm the company's cash, deposit, or loan payable balances with the bank.

o Management engaged in fraudulent financial reporting might be unwilling to add or revise disclosures in the financial statements to make them more transparent.

o Management engaged in fraudulent financial reporting might be unwilling to appropriately address significant deficiencies in internal control on a timely basis, e.g., before the end of a financial reporting period.

Under PCAOB standards, restrictions on the scope of the audit imposed by the company's management or by circumstances, such as – among other things – the inability to obtain sufficient appropriate evidence or an inadequacy in the accounting records, may require the auditor to qualify his or her opinion or to disclaim an opinion on the company's financial statements.48/

Other Considerations

Client Acceptance and Continuance

Under PCAOB standards, client acceptance and continuance is a required element of quality control for an auditor.49/ This includes establishing policies and procedures to provide reasonable assurance that the auditor:

• "Undertakes only those engagements that the firm can reasonably expect to be completed with professional competence.

48/ See paragraph .22 of AU sec. 508, Reports on Audited Financial

Statements. Also, Auditing Standard No. 5 provides direction regarding modifications to the auditor's report due to restrictions on the scope of the audit of internal control over financial reporting.

49/ See paragraph .07 of QC sec. 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice.



• Appropriately considers the risks associated with providing professional services in the particular circumstances."50/

Conditions and situations previously described in this alert that indicate heightened fraud risk in companies with operations in emerging markets may also place additional demands on the auditor’s professional competence. In performing acceptance and continuance assessments for clients with operations in emerging markets, the auditor should consider his or her own ability to perform audits in emerging markets and, if using the work of accountants outside the auditor’s own firm, the auditor’s ability to supervise or assume responsibility for that work in accordance with PCAOB standards.

The PCAOB previously directed auditors' attention to the standards that apply to using the work of other auditors and engaging assistants from outside the firm – including auditors and assistants based outside the U.S. – in Staff Audit Practice Alert No. 6, Auditor Considerations Regarding Using the Work of Other Auditors and Engaging Assistants from Outside the Firm ("Practice Alert No. 6"), issued on July 12, 2010.51/ Practice Alert No. 6 noted, among other things, that the following factors may affect how an auditor plans and performs an audit of the financial statements of an issuer with substantially all of its operations outside of the U.S., including emerging market countries:

• Use of local audit firms or assistants from an outside firm to complete a portion of the audit work;

• The need to understand the local language;

• Additional travel time and expense necessary to complete an audit; and

• The need to understand the local business environment in which the client operates.

Making Engagement Assignments and Coordinating the Auditor's Response with Another Accounting Firm

PCAOB standards require that the knowledge, skill, and ability of engagement team members with significant engagement responsibilities, and the extent of supervision of engagement team members, be commensurate with the

50/ QC sec. 20.15.

51/ Practice Alert No. 6 is located on the Board's web site at: http://pcaobus.org/Standards/QandA/2010-07-12_APA_6.pdf



risks of material misstatement, including fraud risks.52/ The higher risk areas of the audit, including the areas of fraud risk, require more supervisory attention from the engagement partner. When the auditor uses the work of accountants outside the auditor's own firm, the auditor should take into account the knowledge, skill, and ability of each engagement team member from outside the firm.53/ Through the Board's oversight activities, the Board's staff has observed instances in certain audits of emerging market companies in which the engagement partner or other engagement team members inappropriately delegated to junior assistants the identification of audit issues, analysis of documents provided by the company, and certain communication with management and third parties; additionally, supervision by the auditor of the junior personnel was not in compliance with PCAOB standards.

In some situations, another independent accounting firm (including accounting firms affiliated with the same network as the auditor) performs an audit of and issues a report on one or more of the company's subsidiaries, divisions, branches, components, or investments. The auditor should inquire about the professional reputation of the other auditor and adopt other appropriate measures, e.g., ascertaining that the other auditor is familiar with the relevant financial reporting requirements and PCAOB standards.54/ PCAOB inspection reports, when available, may provide the auditor with relevant information.55/ The

52/ See paragraph 6 of Auditing Standard No. 10 and paragraph 5 of

Auditing Standard No. 13. If the auditor uses as assistants personnel of another accounting firm or individual accountants not employed by an accounting firm, the auditor should follow the same requirements as for supervising assistants from the auditor's own firm.

53/ See paragraph 6 of Auditing Standard No. 10. 54/ See paragraph .10 of AU sec. 543, Part of Audit Performed by

Other Independent Auditors.

55/ According to PCAOB Rule 2100, each public accounting firm that (a) prepares or issues any audit report with respect to any issuer; or (b) plays a substantial role in the preparation or furnishing of an audit report with respect to any issuer must be registered with the Board. The Board publishes on its Web site a list that names every registered firm that has triggered an inspection requirement under PCAOB Rule 4003 and notes whether the firm has ever been inspected. See http://pcaobus.org/Inspections/Pages/InspectedFirms.aspx. In addition, the Board has published on its Web site a listing of issuer audit clients of non-U.S. registered firms in jurisdictions where the PCAOB had been denied access to conduct inspections. See



auditor should adopt appropriate measures to assure the coordination of the auditor's activities with those of the other auditor, including the audit procedures performed in response to fraud risks.56/ Through the Board's oversight activities, the Board's staff has observed instances in certain audits of companies in emerging markets in which the auditor did not properly coordinate the audit with another auditor. When significant parts of the audit are performed by other auditors, the auditor must decide whether the auditor's own participation in the audit is sufficient.57/

Making appropriate engagement assignments and coordinating the auditor's response with another auditor necessarily entails overcoming any language barriers. In some audits of companies in emerging markets, key engagement team members58/ might be from outside the country in which substantially all of the company's operations, its top management, or the other auditor is located. In those circumstances, the auditor should take the necessary steps to enable effective communication among the engagement team members, effective communication between the auditor and the company's personnel or the other auditor, and effective review of documentation prepared in a foreign language.59/

Individual accountants or accounting firms that participate in the audit from the same region where the company is located (the "local accountants") may be aware of local customs, cultural norms, and business practices that have an impact on the company's corporate governance and business activities. When planning and performing the audit, the auditor should discuss such matters with the local accountants and determine whether any of these matters affect fraud

http://pcaobus.org/International/Inspections/Pages/IssuerClientsWithoutAccess.aspx.

56/ See AU sec. 543.10, and AU sec. 316.53.

57/ See AU sec. 543.02.

58/ The term "key engagement team members" includes all engagement team members who have significant engagement responsibilities, including the engagement partner. See paragraph 50 of Auditing Standard No. 12.

59/ See paragraph 5 of Auditing Standard No. 10 and AU sec. 543.10.



risks. The auditor should discuss with the local accountants identified fraud risks and determine that appropriate steps are taken to respond to these risks.60/

Illegal Acts

During the course of an audit, the auditor may determine that violations of laws or government regulations by company management or employees may constitute illegal acts, as defined by AU sec. 317, Illegal Acts by Clients,61/ and section 10A of the Exchange Act.62/ AU sec. 317 describes the considerations an auditor should give to the possibility of illegal acts as well as the auditor's responsibilities when a possible illegal act is detected. In addition, pursuant to section 10A(a)(1) of the Exchange Act, auditors are required to perform procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of the financial statement amounts.63/ The auditor’s responsibility to detect and report misstatements resulting from illegal acts having a direct and material effect on the determination of financial statement amounts is the same as that for misstatements caused by error or fraud.64/

When the auditor becomes aware of information concerning a possible illegal act, the auditor should obtain an understanding of the nature of the act, the circumstances in which it occurred, and sufficient other information to evaluate the effect on the financial statements, as well as the implications for other

60/ See paragraph 5 of Auditing Standard No. 10, paragraphs 51-52 of

Auditing Standard No. 12, and AU sec. 316.53.

61/ See AU sec. 317.02. For example, even though not fraud, a violation of the books and records provisions of the Foreign Corrupt Practices Act ("FCPA"), Exchange Act sections 13(b)(2) through (b)(7), would be an illegal act as defined in AU sec. 317. These FCPA provisions generally require issuers with securities registered under section 12 of the Exchange Act or required to file reports under section 15(d) of the Exchange Act, among other things, to make and keep books and records that fairly reflect the transactions and assets of the issuer and to devise and maintain internal accounting controls sufficient to permit the preparation of financial statements in conformity with the applicable financial reporting framework.

62/ See 15 U.S.C. §78j-1(a).

63/ Ibid.

64/ See AU 317.05.



aspects of the audit, such as the reliability of representations of management.65/

The implications of particular illegal acts will depend on the relationship of the perpetration and concealment, if any, of the illegal act to specific control procedures, and the level of management or employees involved.66/ The auditor should also evaluate the adequacy of disclosure in the financial statements of the potential effects of an illegal act on the entity's operations.67/ If the illegal act results in uncorrected misstatements of even relatively small amounts, it further could have a material effect on the financial statements. For example, an illegal payment of an otherwise immaterial amount could be material if there is a reasonable possibility that it could lead to a material contingent liability or a material loss of revenue.68/ If the auditor concludes that an illegal act has or is likely to have occurred, AU sec. 317 requires that the auditor, among other things, determine "that the audit committee, or others with equivalent authority and responsibility, is adequately informed with respect to [the] illegal acts."69/

Section 10A(b) of the Exchange Act imposes additional requirements that apply when the auditor "detects or otherwise becomes aware of information indicating that an illegal act (whether or not perceived to have a material effect on the financial statements) has or may have occurred."70/

Subsequent Discovery of Facts Existing at the Date of the Auditor's Report

AU sec. 561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report, describes procedures that "should be followed by the auditor who, subsequent to the date of the [audit report], becomes aware that facts may have existed at that date which might have affected the report had he or she then been aware of such facts."71/ The auditor should follow the requirements of AU sec. 561 if, subsequent to the date of the audit report, the auditor becomes aware of information indicating the possibility of fraudulent financial reporting.

65/ See AU sec. 317.10 and .16. See also section 13(b)(2) of the

Exchange Act.

66/ See AU sec. 317.16.

67/ See AU sec. 317.15.


69/ AU sec. 317.17.

70/ See 15 U.S.C. §78j-1(b).

71/ AU sec. 561.01.



Contact Information

Inquiries concerning this Staff Audit Practice Alert may be directed to:

Martin F. Baumann, Chief Auditor and Director of Professional Standards

202-207-9192, [email protected]

Keith Wilson, Deputy Chief Auditor 202-207-9134, [email protected]

Dima Andriyenko, Associate Chief Auditor 202-207-9130, [email protected]

Elena Bozhkova, Assistant Chief Auditor 202-207-9298, [email protected]